(Retarget to Fedora 20 as agreed with Feature owner (lack of manpower for F19))

(31 intermediate revisions by 8 users not shown)

Line 2:

Line 2:

== Summary ==

== Summary ==

−

All granting of privileged operations to ordinary users should ''exclusively'' be handled by a centrally managed authority. Usermode/consolehelper should be phased-out and entirely replaced by polkit.

+

Access control of privileged operations for ordinary users should be handled ''exclusively'' by a centrally managed authority.

+

+

Usermode/consolehelper should be phased out and be replaced entirely by polkit.

== Owner ==

== Owner ==

Line 10:

Line 12:

* Name: [[User:Kay| Kay Sievers]]

* Name: [[User:Kay| Kay Sievers]]

* Email: kay@redhat.com

* Email: kay@redhat.com

+

+

* Name: [[User: Notting| Bill Nottingham]]

+

* Email: notting@redhat.com

== Current status ==

== Current status ==

−

* Targeted release: [[Releases/18 | Fedora 18]]

+

* Targeted release: [[Releases/20 | Fedora 20]]

−

* Last updated: 2012-04-03

+

* Last updated: 2013-03-20

* Percentage of completion: 20%

* Percentage of completion: 20%

== Detailed Description ==

== Detailed Description ==

−

The usermode/consolehelper program is a setuid-root wrapper around a couple of tools, to provide superuser privileges to ordinary users. Its policy is controlled by text files in /etc.

+

The usermode/consolehelper program is a setuid-root wrapper around a couple of system tools, providing superuser privileges to ordinary users. Its policy is controlled by text files in /etc.

−

Most privileged user operations are already controlled by polkit today, a well-established, fine-grained, possible network-transparent infrastructure to manage privileged operations by ordinary users. Enterprise environments should be able to centrally define the domain’s policy, and automatically apply it to all connected workstations.

+

These days, most privileged system operations are already controlled by polkit, a well-established, fine-grained, (possibly) network-transparent service for managing privileged operations by ordinary users. Enterprise environments need to be able to centrally define access control policy for the organization, and automatically apply it to all connected workstations.

−

* Polkit can be used by privileged process to decide if it should execute privileged operations on behalf of the requesting user. For directly executed tools, polkit provides a setuid-root helper program called ‘’pkexec’’.The hooks to ask the user for authorizations are well-integrated into text, and natively into all major graphical environments.

+

* polkit can be used by privileged processes to decide if it should execute privileged operations on behalf of the requesting user. For directly executed tools, polkit provides a setuid-root helper program called ‘’pkexec’’.The hooks to ask the user for authorizations are well-integrated into text environments, and native in all major graphical environments.

−

* The concept of a ''console user'' is no longer a sufficient concept to derive privileges from. Polkit authorizations can properly distinguish between multiple active sessions and seats: e.g. an untrusted user’s reboot request is only granted, if only a single user session runs at that time.

+

* The concept of a ''console user'' (that usermode/consolehelper implements) is no longer a sufficient concept to derive privileges from. OTOH polkit authorizations can properly distinguish between multiple active sessions and seats: e.g. an untrusted user’s reboot request is only granted if only a single user session runs at that time.

Make sure, you can call all the tools, which used to use usermode and be asked the appropriate password.

+

Make sure you can call all the tools which used to use usermode and are asked the appropriate authentication.

== User Experience ==

== User Experience ==
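Review bot: In the added polkit bullet, the helper name is written with typographic quotes and no space after the full stop (‘’pkexec’’.The), where the wiki italic markup ''pkexec'' followed by a space was evidently intended. As written, the name renders with stray quotes and runs into the next sentence. The same bullet says "privileged processes to decide if it should", where "they" would agree with the plural subject. In the status block, the target moves to Fedora 20 and the date to 2013-03-20 while "Percentage of completion: 20%" is unchanged; please confirm that figure still holds.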

Line 183:

Line 188:

== Contingency Plan ==

== Contingency Plan ==

<!-- If you cannot complete your feature by the final development freeze, what is the backup plan? This might be as simple as "None necessary, revert to previous release behaviour." Or it might not. If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy. -->

<!-- If you cannot complete your feature by the final development freeze, what is the backup plan? This might be as simple as "None necessary, revert to previous release behaviour." Or it might not. If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy. -->

−

Even, if we cannot drop usermode, the changes in the packages do not have to be reverted.

+

Even if we cannot drop usermode for F19 (because not all packages have been converted) the changes in the packages do not have to be reverted.

== Documentation ==

== Documentation ==

−

<!-- Is there upstream documentation on this feature, or notes you have written yourself? Link to that material here so other interested developers can get involved. →

<!-- The Fedora Release Notes inform end-users about what is new in the release. Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->

+

−

<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns. If there are any such changes involved in this feature, indicate them here. You can also link to upstream documentation if it satisfies this need. This information forms the basis of the release notes edited by the documentation team and shipped with the release. -->

+

* The following packages now use the polkit policy configuration instead of the usermode/consolehelper configuration. Please migrate any policy, which you have created for those packages. Documentation about polkit can be found on http://www.freedesktop.org/software/polkit/docs/latest/

−

*

+

+

<list of packages>

== Comments and Discussion ==

== Comments and Discussion ==

−

* See [[Talk:Features/UsermodeMigration]] <!-- This adds a link to the "discussion" tab associated with your page. This provides the ability to have ongoing comments or conversation without bogging down the main feature page -->

+

* See [[Talk:Features/UsermodeMigration]]

−

−

[[Category:FeaturePageIncomplete]]

+

[[Category:FeatureReadyForWrangler]]

<!-- When your feature page is completed and ready for review -->

<!-- When your feature page is completed and ready for review -->

<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->

<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->

<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->

<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->

<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->

<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->
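Review bot: The new Contingency Plan sentence still names F19 ("Even if we cannot drop usermode for F19"), although this revision retargets the feature to Fedora 20 according to the edit summary and the Targeted release line. Update the release named there so the fallback matches the target. The added Release Notes bullet also ends in a literal "<list of packages>" placeholder while the category changes to FeatureReadyForWrangler; fill in the converted packages, or leave the page in FeaturePageIncomplete until the list exists.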

Current status

Detailed Description

The usermode/consolehelper program is a setuid-root wrapper around a couple of system tools, providing superuser privileges to ordinary users. Its policy is controlled by text files in /etc.

These days, most privileged system operations are already controlled by polkit, a well-established, fine-grained, (possibly) network-transparent service for managing privileged operations by ordinary users. Enterprise environments need to be able to centrally define access control policy for the organization, and automatically apply it to all connected workstations.

polkit can be used by privileged processes to decide whether they should execute privileged operations on behalf of the requesting user. For directly executed tools, polkit provides a setuid-root helper program called pkexec. The hooks to ask the user for authorization are well integrated into text environments, and native in all major graphical environments.

The concept of a console user (which usermode/consolehelper implements) is no longer sufficient to derive privileges from. polkit authorizations, on the other hand, can properly distinguish between multiple active sessions and seats: e.g. an untrusted user’s reboot request is granted only if a single user session is running at that time.

This will not export the DISPLAY variable, so we have to add a policy file, although starting a GUI as root is not encouraged.
The important part is: <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
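
A complete polkit action file carrying that annotation, as an added example that is not taken from this page or from any Fedora package. The action id, vendor, tool path /usr/sbin/example-tool and the console.apps entry shown in the comment are constructed placeholders, and the example assumes the tool is started through pkexec.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<!--
  Constructed example. The usermode/consolehelper policy it would replace
  is a text file such as /etc/security/console.apps/example-tool:
      USER=root
      PROGRAM=/usr/sbin/example-tool
      SESSION=true
  together with a matching PAM service file in /etc/pam.d.
-->
<policyconfig>
  <vendor>Example Project (placeholder)</vendor>
  <vendor_url>http://example.org/</vendor_url>

  <action id="org.example.pkexec.example-tool">
    <description>Run example-tool as root</description>
    <message>Authentication is required to run example-tool</message>

    <!-- Who may be authorized, by session state as polkit sees it.
         Remote and inactive sessions are refused outright; a user in an
         active local session must authenticate as an administrator. -->
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>

    <!-- Binds this action to one executable: pkexec applies the action
         only when asked to run exactly this path. -->
    <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/example-tool</annotate>

    <!-- Lets pkexec keep DISPLAY and XAUTHORITY so the tool can open
         its window. The root process then talks to the user's X session,
         so set this only for tools that really need a GUI. -->
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>
</policyconfig>
```

Action files of this kind are installed under /usr/share/polkit-1/actions/, after which running pkexec /usr/sbin/example-tool is checked against this action.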

Documentation

Release Notes

The following packages now use the polkit policy configuration instead of the usermode/consolehelper configuration. Please migrate any policy that you have created for those packages. Documentation about polkit can be found at http://www.freedesktop.org/software/polkit/docs/latest/